The Forward and Redirect Cheat Sheet is a technical guide that explains how URL forward and redirect attacks work. Forward and redirect attacks are possible when a web page accepts a redirection parameter (a URL) in a query string. When a URL taken from a browser-initiated request is used as input, it is important to validate it: determine that the redirect or forward is appropriate for the request and that the user is authorized to access the target.

The biggest risk of accepting a URL as input without validating it is phishing: users can be redirected to a malicious website that captures their authenticated session or steals their username and password.


== Programming URL redirects ==


When you want to redirect a user automatically to another page (without any action by the visitor, such as clicking a hyperlink), you might implement code such as the following:

PHP

<pre>
<?php
/* Redirect browser */
header("Location: http://www.mysite.com/");
?>
</pre>

ASP.NET

<pre>
Response.Redirect("~/folder/Login.aspx")
</pre>

In the examples above, the URL is declared explicitly in the code. Suppose you want to take this URL from a query string to allow a more dynamic style of programming, such as building a URL list or saving these URLs in a database. In that case, the URL string, instead of being hard coded, is replaced by a variable. The variable is a string which is later used in the code.


== Redirect Example ==


An application request is sent which contains a URL as input, malicious.example.com in the example below. If this request includes a URL as input that is not validated by the server, the browser can be redirected to a malicious URL to perform any number of undesirable actions.


'''Example 1:'''


The following PHP code obtains a URL from the query string and then redirects the user to that URL.

<pre>
<?php
// Vulnerable: the url parameter is used as the redirect target without validation
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
?>
</pre>

A similar example of vulnerable C# .NET code:

<pre>
// Vulnerable: the url parameter is used as the redirect target without validation
string url = Request.QueryString["url"];
Response.Redirect(url);
</pre>

The above code is vulnerable to an attack where it could be used as part of a phishing scam by redirecting users to a malicious site. For example, suppose the code is part of the file example.php or login.aspx. An attacker could provide a user with the following link:


http://example.com/example.php?url=http://malicious.example.com


The user sees a link pointing to the original trusted site (example.com) and does not realize that a redirection could take place.


'''Example 2:'''


ASP.NET MVC 1 and 2 websites are particularly vulnerable to open redirection attacks. To avoid this vulnerability, you need to move to MVC 3.


The code for the LogOn action in an ASP.NET MVC 2 application is shown below. After a successful login, the controller returns a redirect to returnUrl. Note that no validation is performed on the returnUrl parameter.


Listing 1 – ASP.NET MVC 2 LogOn action in AccountController.cs

<pre>
[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (!String.IsNullOrEmpty(returnUrl))
            {
                // Vulnerable: returnUrl comes straight from the request and is not validated
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
        }
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}
</pre>
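Both Example 1 (the url query parameter) and Example 2 (the returnUrl parameter of the LogOn action) fail for the same reason: the request value is handed to the redirect unchanged. The following Python helper is an added example written for this cheat sheet, not code from the page or from the PHP/ASP.NET projects it describes. It shows the check such code should apply before emitting a Location header: accept only a local path or an absolute URL whose hostname is on an allowlist. The allowlist ALLOWED_HOSTS, the function names and the fallback page are assumptions of the example.

```python
"""Validate a user-supplied redirect target before issuing a redirect.

Hypothetical helper written for this cheat sheet; it is not code from the
page's own examples. It assumes the application knows the exact hostnames it
is willing to redirect to (ALLOWED_HOSTS is a constructed sample allowlist).
"""
from urllib.parse import urlsplit

# Constructed sample allowlist: only these hosts may be redirect targets.
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a local path or an absolute URL to an allowlisted host."""
    if not target:
        return False
    # Control characters and whitespace are never legitimate in a redirect
    # target and mainly serve to confuse parsers; reject them outright.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil.example"
    # behaves as the protocol-relative "//evil.example"; reject backslashes.
    if "\\" in target:
        return False

    parts = urlsplit(target)

    # Case 1: a local path such as "/account/settings".
    # "//evil.example" parses with a netloc and never reaches this branch,
    # but a leading "/" is still required so that a bare "evil.example" is
    # not silently accepted as a relative path.
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")

    # Case 2: an absolute URL. Require an allowed scheme and an exact hostname
    # match. urlsplit().hostname is lower-cased and excludes any "user@"
    # prefix, so "https://example.com@evil.example/" resolves to evil.example.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return parts.hostname in allowed_hosts


def redirect_target(requested: str, fallback: str = "/") -> str:
    """Return the value to put in the Location header: the requested URL if it
    passes validation, otherwise the fallback landing page."""
    return requested if is_safe_redirect(requested) else fallback
```

In the LogOn action from Listing 1 the equivalent call would sit in front of Redirect(returnUrl): the controller redirects to redirect_target(returnUrl) rather than to returnUrl itself, so an untrusted value degrades to the home page instead of leaving the site. Matching the hostname exactly (rather than with a substring or prefix test) is what keeps www.example.com.evil.example and http://evil.example/?x=www.example.com out.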

== Forward Example ==


When applications allow user input to forward requests between different parts of the site, the application must check that the user is authorized to access the URL, is permitted to perform the functions it provides, and that the URL is an appropriate request. If the application fails to perform these checks, an attacker-crafted URL may pass the application's access control check and then forward the attacker to an administrative function that is not normally permitted.


http://www.example.com/function.jsp?fwd=admin.jsp
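The request above only works because function.jsp treats the fwd value as a page name. The following Python helper is an added example for this cheat sheet, not code from the page or from any project it describes. It shows the two checks the paragraph calls for: the fwd parameter is used as a key into a fixed map of internal targets (so admin.jsp, ../admin.jsp or an external URL are all unknown keys), and the role each target requires is enforced before the forward happens. The map FORWARD_TARGETS, the role names and the handler function are constructed for the example.

```python
"""Constrain a user-supplied forward parameter to a fixed set of internal
targets and enforce authorization before forwarding.

Hypothetical helper written for this cheat sheet, not code from the page. The
target map, the role names and the request shapes are constructed samples.
"""
from typing import NamedTuple, Optional


class ForwardDecision(NamedTuple):
    allowed: bool
    target: Optional[str]  # internal path to forward to, or None when denied
    reason: str


# Constructed sample map: the only values the fwd parameter may take, each
# paired with the role required to reach that page. The raw request value is
# a key into this map, never a path in its own right.
FORWARD_TARGETS = {
    "account": ("/pages/account.jsp", "user"),
    "orders": ("/pages/orders.jsp", "user"),
    "admin": ("/pages/admin.jsp", "admin"),
}


def resolve_forward(fwd_param: Optional[str], user_roles: frozenset) -> ForwardDecision:
    """Map the fwd parameter to an internal page, or deny the forward.

    The forward is denied when the value is not a known key (so "admin.jsp",
    "../admin.jsp" and absolute URLs are all rejected the same way) or when the
    current user lacks the role that the chosen target requires.
    """
    if not fwd_param or fwd_param not in FORWARD_TARGETS:
        return ForwardDecision(False, None, "unknown forward target")
    path, required_role = FORWARD_TARGETS[fwd_param]
    if required_role not in user_roles:
        return ForwardDecision(False, None, "insufficient privileges for target")
    return ForwardDecision(True, path, "ok")


def handle_function_request(query: dict, user_roles: frozenset) -> str:
    """Simulate function.jsp: forward when allowed, otherwise answer 403.

    Returns the action a framework would take as a string; a real servlet
    would call RequestDispatcher.forward() for the allowed case and
    response.sendError(403) otherwise.
    """
    decision = resolve_forward(query.get("fwd"), user_roles)
    if decision.allowed:
        return f"FORWARD {decision.target}"
    return f"403 Forbidden ({decision.reason})"
```

The role check here is not a substitute for access control on the target page itself: admin.jsp must still verify the caller's privileges, because a server-side forward bypasses any URL-based filter that sits in front of it. Keeping the check in both places means a mistake in the map does not open the administrative function.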


The following code is a Java servlet that receives a GET request with a url parameter and redirects the browser to the address given in that parameter. The servlet retrieves the url parameter value from the request and sends a response that redirects the browser to that address.